When sensitive data relating to financial transactions is transmitted or stored in electronic form, it is often desirable to secure the data in some manner. In electronic funds transfers, debits or credits, security is presently accomplished by encrypting sensitive portions of the data using a data encryption algorithm known as the Data Encryption Standard, or DES. DES was formally adopted by the United States National Bureau of Standards in 1983 and is described in Federal Information Processing Standards Publication FIPS PUB 46 dated Jan. 15, 1977, which is hereby incorporated by reference. DES operates using a 64-bit key that is used to encrypt and decrypt data.
In modern financial transactions, customers use point of service machines, such as automatic teller machines (ATMs) or point of sale (POS) terminals, to conduct financial transactions at locations remote from the customer's bank or other financial institution. Data relating to such transactions must be transferred electronically to the customer's financial institution to verify and record the transaction. Data is typically transmitted back to the ATM or POS terminal to authorize or deny the transaction.
To enable an ATM or POS transaction, a customer is typically issued a financial transaction identification card, or bank card, and a corresponding personal identification number (PIN) by the customer's financial institution. The bank card includes at least one magnetic stripe on which information relating to the customer and issuing institution is stored. To conduct a transaction, the ATM or POS terminal must read preselected information from the magnetic stripe and transmit it to the issuing institution along with the customer's PIN which is entered by the customer at the time of the transaction. The PIN is designed to act as a primary security measure as it is necessary to have the bank card and know the PIN in order to complete a transaction.
Because of the sensitive nature of the data transmitted back and forth during an ATM or POS transaction, at least some of the data is normally encrypted using DES to reduce the risk of interception and compromise. At present, this is accomplished by encrypting the PIN, for example, using a DES key secured within the POS terminal. The DES key itself is often encrypted using additional DES keys to provide further layers of security, and keys are preferably stored in secure hardware devices to avoid compromise. Encrypted data from a POS terminal will then be transmitted to a computer controlling a number of POS terminals where the appropriate DES keys are stored and the data will be decrypted.
In order to arrive at the issuing institution's computer to verify and record the transaction, the data will normally be transmitted through a chain of multiple computers, with data encryption and decryption occurring at each node or link in the chain. Each encryption and decryption operation introduces expense in associated hardware needs and ongoing security measures to maintain and periodically change DES keys. Decryption and reencryption at numerous intermediate locations also result in multiple periods during the transmission when the data is not secure. Further, multiple encryption and decryption operations slow down data transmission, an especially undesirable result in a POS environment where merchants want minimum delays in processing customer transactions. As such, the current methods and systems for securing electronic data in financial transactions are undesirable in that they are relatively expensive, leave the data unsecured at various times during transmission, and introduce delays into the transmission process.
Existing documents describing known data encryption techniques and financial institution standards include the following which are hereby incorporated by reference:
Reference documents from International Organization for Standardization:
(1) ISO 7811/2, Identification cards - Recording technique - Part 2: Magnetic stripe.
(2) ISO 7813, Identification cards - Financial transaction cards.
(3) ISO TC68/SC2 Working draft N177 and N178, Banking - Personal Identification Number Management and Security - Part 1: PIN protection principles and technique.
(4) ISO 4909, Bank Cards - Magnetic stripe data content for track 3.
Reference documents from American National Standards Committee, X9-Financial Services:
(1) ANSI X3.92 Data Encryption Algorithm (DEA).
(2) ANSI X9.8, American National Standard for PIN Management and Security.
(3) ANSI X9.19, Financial Institution Retail Message Authentication.
(4) ANSI X9.24, Draft 5.0, Financial services - Retail Key Management.
Reference documents from U.S. Department of Commerce/National Bureau of Standards:
(1) FIPS PUB 46, Federal Information Processing Standards publication - Data Encryption Standard.